The purpose of this document is to assist Custodians, Users, Managers, and Information Service Providers (as defined in Boise State Policy 8060 “Information Privacy and Security”) in identifying the level of security required to protect the data for which they are responsible.
In order to be properly protected, all university data must be classified into one of three categories. This policy emphasizes the steps that must be taken to protect data based on its classification. For example, Level One data should not be left unattended in conference rooms or offices. Level One data has more stringent requirements than Levels Two and Three; however, all three levels require some protective measures.
Data that is personal to the operator of a system and stored on a University IT resource as a result of incidental personal use is not considered university data. University data stored on non-university IT resources must still be verifiably protected according to the respective university minimum security standards.
- Family Educational Rights and Privacy Act (“FERPA”)
- Gramm-Leach-Bliley Act (“GLBA”)
- Health Insurance Portability and Accountability Act (“HIPAA”)
- Idaho Code § 28-51-105
- Payment Card Industry (“PCI”) Data Security Standard, Version 2.0
This policy applies to all students, faculty, staff, contractors, consultants, temporary employees, guests, volunteers, and all other entities or individuals with access to confidential information through Boise State or its affiliates. It also applies to all university information resources, including those used by the university under license or contract.
University Data: Any data that is subject to state or federal regulation, data that is required to be protected by contractual obligation, as well as all data created, collected, maintained, recorded or managed by the university, its staff, and agents working on its behalf. It includes data used for planning, managing, operating, controlling, or auditing university functions; especially data used by multiple university units; and data used for university reporting.
University data also includes research data that contains personally identifiable subject information, as well as proprietary university information and trade secrets. The information covered by this policy includes, but is not limited to, information that is stored or shared by any means: electronic information, information on paper, and information shared orally or visually (such as by telephone or video conferencing). This policy divides data into three categories:
- Level One – private information that must be protected as required by law or industry regulation
- Level Two – protected information that may be made available in response to Freedom of Information Act Requests to Examine or Copy Records
- Level Three – information that is public in nature
Draft Published: April 12, 2011
Questions about the proper classification of a specific piece of information should be addressed to your manager. Questions about this policy should be addressed to the Information Security Officer.
Portions of this document are adapted with permission from the University of Texas at Austin, Stanford University, and the SANS Institute Security Policy Project.